[
https://issues.apache.org/jira/browse/OFBIZ-12033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17315231#comment-17315231
]
Girish Vasmatkar commented on OFBIZ-12033:
------------------------------------------
[~mbrohl] : Separate log in service is not yet implemented without using
session. It will help to have a very minimal service that just does
username/password verification without creating session. That should suffice.
If you plan to have more to it, please share.
[~jleroux] : The cheat sheet is very useful. However, the annotation based
security is something we will have to be careful with because we are using
programmatic approach of configuring resources instead of having separate
resource class for each resource. That itself poses challenge. I am looking
into this a bit and hopefully have something soon.
> Separate login service for API calls
> ------------------------------------
>
> Key: OFBIZ-12033
> URL: https://issues.apache.org/jira/browse/OFBIZ-12033
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Reporter: Girish Vasmatkar
> Assignee: Girish Vasmatkar
> Priority: Minor
>
> We're using {color:#2a00ff}userLogin {color}{color:#000000}service to
> authenticate users before generating auth tokens for REST API and GraphQL
> calls. However, we figured that a session is also getting created and
> returned in response which is defeating the purpose of having an API in
> place. Even though that session is not getting used anywhere when subsequent
> calls are made using the token, we still think it is an extra session lying
> around in tomcat's session cache. {color}
> {color:#000000} {color}
> {color:#000000}Proposal is to implement a new basic userLogin service
> (basicAuthUserLogin) that would just do username/password matching and be
> done with it without ever calling request.getSession(). This will ensure that
> APIs are stateless and no session is generated.{color}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
